Chrony: erinevus redaktsioonide vahel
Allikas: Imre kasutab arvutit
| (ei näidata sama kasutaja üht vahepealset redaktsiooni) | |||
| 27. rida: | 27. rida: | ||
</pre> |
</pre> |
||
| + | seccomp leiab oma syscallid üles bfp-classic filtrite abil (neid ei esita 'bpftool prog show') |
||
| − | kus |
||
<pre> |
<pre> |
||
| 55. rida: | 55. rida: | ||
</pre> |
</pre> |
||
| − | või getpcaps abil |
+ | või getpcaps abil (ep - effective, permitted) |
<pre> |
<pre> |
||
Viimane redaktsioon: 4. mai 2026, kell 02:23
Sissejuhatus
TODO
Tööpõhimõte
TODO
Misc - chrony protsess
chronyd protsessi info
root@pve-svc-02:~# pgrep chronyd
1436092
1436093
root@pve-svc-02:~# lsns -p 1436093
NS TYPE NPROCS PID USER COMMAND
4026531833 net 481 1 root /sbin/init
4026531834 time 481 1 root /sbin/init
4026531835 cgroup 481 1 root /sbin/init
4026531836 pid 481 1 root /sbin/init
4026531837 user 481 1 root /sbin/init
4026531839 ipc 481 1 root /sbin/init
4026533035 mnt 2 1436092 _chrony ├─/usr/sbin/chronyd -F 1
4026533036 uts 2 1436092 _chrony └─/usr/sbin/chronyd -F 1
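seccomp leiab oma syscallid üles classic-BPF (cBPF) filtrite abil (neid ei esita 'bpftool prog show'); väljundis tähendab 'Seccomp: 2' filter-režiimi ning 'Seccomp_filters' näitab protsessile külge pandud filtrite arvu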
root@pve-svc-02:~# cat /proc/1436092/status | grep -i seccomp
Seccomp: 2
Seccomp_filters: 23
root@pve-svc-02:~# nsenter -m -t 1436092 findmnt | grep inacc | sed -r 's/tmpfs\s+.*//'
│ └─/dev/kmsg tmpfs[/systemd/inaccessible/chr]
│ ├─/run/credentials tmpfs[/systemd/inaccessible/dir]
│ ├─/run/user tmpfs[/systemd/inaccessible/dir]
├─/root tmpfs[/systemd/inaccessible/dir]
├─/home tmpfs[/systemd/inaccessible/dir]
├─/usr/lib/modules tmpfs[/systemd/inaccessible/dir]
ning capabilities
root@pve-svc-02:~# pscap -p 1436092
ppid pid uid command capabilities
1 1436092 _chrony chronyd net_bind_service, sys_time +
root@pve-svc-02:~# pscap -p 1436093
ppid pid uid command capabilities
1436092 1436093 _chrony chronyd net_bind_service, sys_time +
või getpcaps abil (ep - effective, permitted)
root@pve-svc-02:~# getpcaps 1436092
1436092: cap_net_bind_service,cap_sys_time=ep
või /proc/PID/status abil
root@pve-svc-02:~# cat /proc/1436092/status | grep ^Cap
CapInh: 0000000000000000
CapPrm: 0000000002000400
CapEff: 0000000002000400
CapBnd: 000001c08380fddf
CapAmb: 0000000000000000
root@pve-svc-02:~# capsh --decode=0000000002000400
0x0000000002000400=cap_net_bind_service,cap_sys_time
kus
- CapInh: Inheritable (can be passed to children across execve(), but only if the executed file also has the capability in its inheritable set).
- CapPrm: Permitted (the maximum "credit limit" of authority).
- CapEff: Effective (the authority currently being used).
- CapBnd: Bounding (the hard ceiling that cannot be exceeded).
- CapAmb: Ambient (applies to unprivileged non-setuid binaries).
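ning systemd vastavad seadistused (CapabilityBoundingSet on üksnes ülempiir; protsessil endal on eespool näidatud vaid cap_net_bind_service ja cap_sys_time)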
root@pve-svc-02:~# systemctl show chrony | egrep "^Prot|^Priv|^Capab" | egrep "restore$|yes$"
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_setgid cap_setuid cap_setpcap cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_nice cap_sys_resource cap_sys_time cap_setfcap cap_perfmon cap_bpf cap_checkpoint_restore
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectControlGroupsEx=yes
ProtectHome=yes
ProtectHostname=yes
Misc - chrony teenus
Seadistus
root@pve-svc-02:~# egrep "pool|server" /etc/chrony/chrony.conf
# pool 2.debian.pool.ntp.org iburst
root@pve-svc-02:~# cat /etc/chrony/sources.d/local-ntp-server.sources
server 10.192.0.53 iburst
sources info
root@pve-svc-02:~# chronyc sources -v -n
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current best, '+' = combined, '-' = not combined,
| / 'x' = may be in error, '~' = too variable, '?' = unusable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.192.0.53 4 9 377 413 -135us[ -216us] +/- 3171us
tracking info
root@pve-svc-02:~# chronyc tracking
Reference ID : 0AC00035 (10.192.0.53)
Stratum : 5
Ref time (UTC) : Sun May 03 17:25:18 2026
System time : 0.000016197 seconds slow of NTP time
Last offset : -0.000080330 seconds
RMS offset : 0.000049475 seconds
Frequency : 0.712 ppm fast
Residual freq : -0.006 ppm
Skew : 0.085 ppm
Root delay : 0.006004042 seconds
Root dispersion : 0.000445185 seconds
Update interval : 517.6 seconds
Leap status : Normal
Kasulikud lisamaterjalid
- TODO